TICSA Telecommunications (Interception Capability and Security) Act 2013 Guidance for Network Operators www.gcsb.govt.nz www.ncsc.govt.nz Draft In-Confidence Contents Introduction.............................................................................................................................2 Overview of the Guidance......................................................................................................3 Focus of the network security part of TICSA: New Zealand’s National Security..............4 Section 1: What are the General Requirements?.................................................................6 Registration............................................................................................................................................................. 6 Security Cleared Personnel................................................................................................................................... 6 Section 2: What and When to Notify.....................................................................................8 Network Operators Duty to Engage in Good Faith............................................................................................ 8 “Proposed decision, course of action, or change…”........................................................................................... 9 “… decision, course of action or change”............................................................................................................. 9 Standard builds.................................................................................................................................................... 10 Bulk changes......................................................................................................................................................... 10 “Areas of Specified Security Interest”................................................................................................................. 10 Changes made prior to 11 May 2014 ................................................................................................................ 11 Section 46(1) – Identified Potential Network Security Risks............................................................................ 12 Exemptions from Duty to Provide Notification................................................................................................ 12 Proposed Exemptions.......................................................................................................................................... 13 If in Doubt… .......................................................................................................................................................... 14 Form of Notification............................................................................................................................................. 14 Section 3: How does it Work? A Step By Step Guide..........................................................16 The Network Proposal Process........................................................................................................................... 16 Section 4: Understanding Risks............................................................................................18 Consideration of Network Security Risk............................................................................................................ 18 Assessment of a Plan to Prevent or Sufficiently Mitigate a Network Security Risk...................................... 19 Communication of Outcomes............................................................................................................................. 19 Summary of Timeframes..................................................................................................................................... 20 Section 5: Referrals................................................................................................................21 Referral to the Minister ...................................................................................................................................... 21 Guidance Revisions.............................................................................................................................................. 22 Telecommunications (Interception Capability and Security) Act 2013 1 Draft In-Confidence Introduction The following Guidance has been prepared to support the implementation and the on-going management of the network security part (Part 3) of the Telecommunications (Interception Capability and Security) Act 2013 (the TICSA). It sets out the process established by the TICSA and is designed to assist network operators and the Government Communications Security Bureau (the GCSB) to work co-operatively and collaboratively with each other, so that network security risks can be identified and addressed as early as possible. To ensure the network security process is implemented and operates in a pragmatic and practical way for the telecommunications industry, the GCSB will work together with network operators in an on-going dialogue based on good faith. Network Operator or Service Provider? A network operator (as defined in section 3 of the TICSA) is; a) a person who owns, controls, or operates a public telecommunications network; or, b) a person who supplied (whether by wholesale or retail) another person with the capability to provide a telecommunications service. A service provider (also defined in section 3 of the TICSA) is; a) means any person who, from within or outside New Zealand, provides or makes available in New Zealand a telecommunications service to an end-user (whether or not as part of a business undertaking and regardless of the nature of that business undertaking); but b) does not include a network operator. The Network Security provisions in Part 3 of the Act only apply to Network Operators as defined in the TICSA. The TICSA was passed in November 2013 and relates to obligations on New Zealand’s telecommunications network operators in two key areas – interception capabilities and network security. Part 2 of the TICSA relates to a network operator’s obligation to ensure public telecommunications networks are ‘intercept capable’ to enable authorised government agencies to conduct lawful interception in accordance with their legal authority. This Guidance does not deal with Part 2 (Interception capability duties) obligations. For guidance on interception capability obligations and registration, network operators should contact the New Zealand Police1 who have released a separate guidance paper. Part 3 of the TICSA relates to network security and outlines a framework under which network operators are required to engage with the GCSB about changes and developments with their networks where these intersect with national security. The framework sets out a path to identify and address, prevent, mitigate, or remove the network security risks which may arise. 1http://www.police.govt.nz/about-us/programmes-and-initiatives/telecommunications-interception-capability-security-act-2013 2 National Cyber Security Centre Draft In-Confidence Section 7 of the TICSA; Purpose of this Act relating to network security; The purpose of this Act in relation to network security is to prevent, sufficiently mitigate, or remove security risks arising from— (a) the design, build, or operation of public telecommunications networks; and (b)interconnections to or between public telecommunications networks in New Zealand or with networks over-seas. The TICSA (section 8) also sets out principles relating to network security that must, as far as practicable, be applied by both the Director and each network operator in relation to network security risks. Those principles are: a) The principle that network security risks that might arise from a proposed decision, course of action, or change if implemented should be identified and addressed as early as possible: b) The principle that the Director and each network operator should work co-operatively and collaboratively with each other in relation to the principle in paragraph (a). Overview of the Guidance This Guidance is issued by the Director of the GCSB under section 58 of the TICSA, to provide information about the requirements on network operators under the network security parts of the TICSA. The Guidance does not replace the words of the TICSA itself, but is intended to give network operators more detail on what to expect and what is required from the process. It sets out the GCSB’s understanding of the processes that will implement the TICSA’s network security framework. It is intended to inform network operators of their obligations and duties as they relate to network security under TICSA, in particular; • identify the types of network proposal the GCSB requires notification of; • identify the types of network proposal the GCSB does not require notification of; • outlines the process by which the GCSB can grant exemptions to the duty to notify; • outlines the process through which the GCSB will assess proposals and communicate responses; and • establishes expected timeframes and information required to be supplied with a proposal. This Guidance is not binding on network operators, however, in any court proceedings related to TICSA, compliance with the Guidance will be treated as evidence of compliance with the applicable requirements in the legislation (section 58). The TICSA places the government’s obligations in the network security process on the Director of the GCSB and so refers to “the Director” throughout Parts 3 and 4. A team in GCSB’s National Cyber Security Centre (NCSC) is tasked to work on this process and they will be the primary point of contact available for network operators. For ease of reference, the Guidance refers to “the GCSB” when describing the duties placed on the GCSB’s Director under TICSA. This Guidance is the result of a process of consultation with network operators. The GCSB will continue to work with network operators on the use and development of the Guidance. Any questions about the Guidance can be sent to: ticsa@ncsc.govt.nz Telecommunications (Interception Capability and Security) Act 2013 3 Draft In-Confidence Focus of the network security part of TICSA: New Zealand’s National Security The focus of the network security part of the TICSA is the prevention, mitigation or removal of network security risks. The GCSB will work with network operators co-operatively and collaboratively so that risks to New Zealand’s national security, arising from the design, build or operation of public telecommunications networks and their interconnection to other networks both domestically and overseas, are identified and addressed. Proposed decisions, courses of action or changes notified by network operators (called “proposals”) are considered by the GCSB to identify whether they would raise a network security risk. “Network security risk” has a specific meaning under TICSA, it is defined as; “any actual or potential security risk arising from – (a)The design, build or operation of a public telecommunications network; or (b)Any interconnection to or between public telecommunications networks in New Zealand or with telecommunications networks overseas.” “Security risk” is also defined by TICSA; “it means any actual or potential risk to New Zealand’s national security.” While “national security” is not specifically defined, for the purposes of the network security provision of the TICSA, its meaning is found in the list of factors that the GCSB must consider when deciding if a proposal presents a network security risk. Section 50 is set out in full later in this Guidance, however in short, a network security risk requires consideration of the likelihood that the proposal will lead to; • the compromise or degradation of the public telecommunications network; • the impairment of the confidentiality, availability or integrity of telecommunications across the network; and, • the potential effect of that on the provision of important services (including for example, central or local government services, health or transport services). In some cases, a “network security risk” as defined above, may also be or overlap with a common security risk. The difference is in how that risk may be exploited by specific threat actors, and the impact that it may have on critical national networks and services. The focus on New Zealand’s national security in the Act means that the duty to notify under the TICSA is limited to: • Proposals that affect parts of networks which are designated “areas of specified security interest” – these are the areas where these network security risks are more likely to arise (section 48 of the TICSA); and • Situations when the network operator becomes aware of any network security risk that may arise if a proposal is implemented (in any part of the network) (section 46(1) of the TICSA). It also means that any consideration of a proposal that is found not to give rise to a “network security risk” has only been reviewed in relation to New Zealand’s national security, and not broader network security risks which a network operator might commonly consider (such as privacy, or commercial security controls). The GCSB’s consideration of proposals will not constitute an endorsement of the proposal in any broader security sense, and must not be considered as a substitute for standard business risk assessments, standard due diligence, enterprise security reviews or any other form of assessment that a network operator would usually perform when initiating a new project or change. 4 National Cyber Security Centre Draft In-Confidence Similarly, while employing good information assurance practises supports the security of networks, the GCSB will not consider in its assessment adherence to ‘information assurance’ practices (which network operators would commonly use as part of their normal business practice) such as; • adherence to international standards; • privacy protection obligations; • any duties required of network operators under New Zealand legislation (other than TICSA); or • any other network security risk that does not involve a risk to national security. Telecommunications (Interception Capability and Security) Act 2013 5 Draft In-Confidence Section 1: What are the General Requirements? Registration Under Part 4 of the TICSA, network operators are required to register (section 60). The Register has been established, and is maintained by the New Zealand Police. A registrar has also been appointed. Information about the Register and the registration process is available from the New Zealand Police. Network operators must be registered within 3 months from 11 February 2014 (or within 3 months after becoming a network operator). Once submitted, registration details need to be kept up-to-date with an annual review from November 2015. If an organisation is uncertain whether they meet the definition of a network operator they should contact the Registrar. Enquiries about registration should be directed to New Zealand Police, which oversee the registration process. Network operators can register by completing a form made available by contacting the Registrar through the New Zealand Police website.2 Security Cleared Personnel To assist the GCSB and network operators to work together on network security risks, network operators may nominate a suitable employee (or employees) to apply for a SECRET level GCSB sponsored security clearance. Network operators may also, upon request, be required to nominate an individual for security clearance (section 75). Having cleared staff within network operators allows the GCSB to share certain information about network security risks that is classified. While these individuals cannot pass classified information to un-cleared colleagues, they will be able to give informed guidance on identifying and addressing network security risks. If a network operator does not have cleared staff, the GCSB will still seek to engage with them, and share what information it can about network security risks. As a guide when considering which employees to nominate to be cleared, network operators should consider; • the position of those people within their organisation; • the minimum number of people required to be cleared to respond if a network security risk is identified in a proposal; and • whether the nominated employees hold sufficient technical knowledge to understand the nature of the risk conveyed. Network operators should only nominate staff they believe are likely to obtain and maintain a clearance, and to nominate as few employees as possible to sufficiently support their organisation in fulfilling this function. As a guide, nominated staff should be New Zealand citizens who have lived in New Zealand for at least 10 years. 2http://www.police.govt.nz/about-us/programmes-and-initiatives/telecommunications-interception-capability-security-act-2013 6 National Cyber Security Centre Draft In-Confidence To apply for clearance for the network security provisions of the TICSA, network operators should contact the GCSB via email to ticsa@ncsc.govt.nz with the following information about the nominated person: –– name –– date of birth –– whether they are a New Zealand citizen or permanent resident (if the latter, the date they arrived in New Zealand) –– company –– role within the company –– contact numbers –– email address A representative from the GCSB will respond within 3 business days and suitable candidates will be referred to initiate the clearance process. It should be noted that the clearance process is not run by the GCSB, and may take a significant length of time. Candidates who receive their clearance will be notified in writing. Telecommunications (Interception Capability and Security) Act 2013 7 Draft In-Confidence Section 2: What and When to Notify Network Operators Duty to Engage in Good Faith Section 46(2) of the TICSA; A network operator must act honestly and in good faith when engaging with the Director in relation to any matter in this Part [Part 3]. The obligation in section 46(2) to act honestly and in good faith is relevant for network operators and GCSB’s engagement with each other throughout the TICSA network security processes. As a concept “good faith” is difficult to define in isolation and so is best understood by reference to duties in the TICSA. For example, network operators would be acting in good faith when they consider and identify proposals that need to be notified, and do so with sufficient time for the GCSB to consider a proposal to determine whether it raises any network security risk. Similarly, a network operator notifying the GCSB of a network security risk they become aware of as soon as they have identified and considered it, is acting in good faith. Good faith also underlines a network operator’s obligation under s 46(3) to provide the GCSB with access to its employees, contractors or agents that are best placed to assist the GCSB in relation to a matter under Part 3 of the TICSA. When to Notify The duty to notify or engage with the GCSB about certain proposed decisions, courses of action or changes is found in sections 48 and 46(1) of the TICSA. It is important to keep in mind that not all proposals require notification. This section explains what kinds of proposals need to be notified, and when. The TICSA framework ensures the GCSB receives, with the collaboration and input of network operators, the information needed to properly consider, and make decisions about network security risks. The GCSB will follow the same process to identify and address network security risks for proposals notified under both sections 48 and 46(1). Section 48 – Proposals Affecting Areas of Specified Security Interest Section 48 of the TICSA creates the obligation for network operators to notify the GCSB of proposals (proposed decisions, courses of action or changes) in regard to certain parts of their network. 8 National Cyber Security Centre Draft In-Confidence Section 48 Network operator must notify Director (1) A network operator must notify the Director of any proposed decision, course of action, or change made by or on behalf of the network operator regarding— (a) the procurement or acquisition of any equipment, system, or service that falls within an area of specified security interest; or (b) any change— (i) to the architecture of any equipment, system, or service that falls within an area of specified security interest; or (ii) that may affect the ownership, control, oversight, or supervision of any equipment, system, or service that falls within an area of specified security interest. (2) The network operator must— (a) comply with subsection (1)(a) before any steps are taken, as part of the procurement or acquisition decision-making process, to approach the market (whether by request for quote, tender , or otherwise) or comply with subsection (1)(b) during the development of a business or change proposal; and (b) ensure any notice given to the Director in compliance with subsection (1) is given within sufficient time for the Director to consider whether to take action under section 51. “Proposed decision, course of action, or change…” The timing of notification is important. Network Operators are required to notify the GCSB at the stage when the decisions, courses of action or changes described are still proposals, yet to be implemented. If a network operator is looking at procurement or acquisitions, TICSA requires they must notify the GCSB before taking any steps, as part of the procurement or acquisition decision-making process, to approach the market (whether by request for quote, tender , or otherwise). This means, for example, that notification is required either prior to (or at the time) a Request for Proposals (RFP) is issued. If a network operator does not use a RFP process or similar, notification is required before making the decision about procurement. Providing notification before issuing a Request for Information (RFI) from vendors may in many cases be too early, however some network operators may choose to provide notification at this point if the scope of the proposal is narrowed so it can be practically assessed. With any other change to the network in an area of specified security interest, network operators are required to notify the GCSB during the development of a business or change proposal. These requirements are to ensure the GCSB has sufficient time to consider proposals and take action if needed. They also enable any network security risks to be identified and addressed as early as possible in the network operator’s procurement or change process. Allowing sufficient time for the GCSB to consider proposals will also help ensure minimal disruption to network operators’ plans. “… decision, course of action or change” A proposed decision, course of action or change includes standard builds which might cover a particular change replicated at many points of a network, and also ‘bulk changes’ – a series of changes that can be treated as one overarching ‘bulk change’. Network operators can submit a single (rather than repeated) notification for a standard build or a bulk change. Telecommunications (Interception Capability and Security) Act 2013 9 Draft In-Confidence Standard builds A standard build may be a consistently procured equipment build or network addition, which is replicated throughout the network. Notification of the standard build is only required in the first instance, provided the build does not change to a type of equipment that has not been previously submitted by that network operator. In instances where a standard build is used, notification should also include details of the geographic locations in which it is intended to be deployed. An example of a standard build would be a build which is replicated across the country. In such a case, a notification of proposal which specifies which equipment will be used, the oversight and control mechanisms and the geographic locations that the build will be deployed in would be sufficient notification for all deployments of the same build (provided no network security risks are identified). Should the standard build change from that notified to the GCSB, a new notification would need to be submitted, that outlines what is changing in the new build. Bulk changes In addition, one notification may be submitted for a standard set of equipment to be used in a network proposal, i.e. a bulk change. This could include all versions of a certain type of networking equipment, and the software/firmware builds that are likely to be deployed on it. Notification could also be supplied for a specific product range which may change incremental versions over time. Once the GCSB has considered the proposal covering the product range, the equipment would be able to be deployed on the network without the need to submit a new notification. One example of a bulk change would be a notification of proposal which outlines a product range of network cards which would be deployed in a network switch. Once assessed, provided no network security risks were identified, the equipment would be able to be deployed without needing a new notification (such as a capacity upgrade). However there are some practical limitations to notifications of bulk changes. A notification with an excessive number of equipment types or for an entire vendor’s product range does not amount to notification of a bulk change. “Areas of Specified Security Interest” Only proposed decisions, courses of action or changes that affect an “area of specified security interest” need to be notified under section 48. Section 47 of the TICSA defines term: (1) In this section and section 48, an area of specified security interest, in relation to a network operator, means— (a) network operations centres: (b) lawful interception equipment or operations: (c) any part of a public telecommunications network that manages or stores— (i) aggregated information about a significant number of customers: (ii) aggregated authentication credentials of a significant number of customers: (iii) administrative (privileged user) authentication credentials: (d) any place in a public telecommunications network where data belonging to a customer or end user aggregates in large volumes, being either data in transit or stored data: (e) any area prescribed under subsection (2). 10 National Cyber Security Centre Draft In-Confidence Although many of these terms are common to network operators, some further guidance on what they mean is provided below. a) Network Operations Centres (NOC) – The NOC is the function or functions through which network operations are controlled, either as a function distributed among business units, or as a discrete business unit in itself. This includes Security Operations Centres (SOCs) if distinct from the NOC (since they also perform key functions of network governance and oversight). Proposals that affect the operation of the NOC or SOC, their oversight, control, and effective supervision, as well as core equipment used must be notified. b) Lawful interception equipment or operations – Any equipment designed to facilitate the lawful interception of communications on a network, which is permanently installed on the network, or able to be installed on request. For the purposes of this guidance, this also includes hardware or software which supports or facilitates this function. c) Parts of networks that manage or store aggregates of information – These are the places where sensitive information is likely to be stored, making the systems hardware and its support/operation of specific security interest. i. Aggregated information about a significant number of customers. This refers to: • Databases which store data in bulk, such as call records or network traffic data. • Operations Support Systems (OSS), or Business Support Systems (BSS) and other forms of business customer databases. • Proposals affecting the equipment or systems which interact directly and modify the network core require notification. ii. Aggregated authentication credentials of a significant number of customers. This refers to: • Areas of the network which store authentication credentials & encryption keys. • The Evolved Packet Core (EPC) and the Home Location Register (HLR/HSS) in mobile networks. iii. Administrative (privileged user) authentication credentials. This refers to: • Places where privileged user credentials are stored and audit and oversight controls are retained. d) Places where data belonging to customers or end users, aggregates in large volumes, either in transit or at rest. – In particular, this covers: i. Large databases which reside in the core of the network and customer Voice Mail Systems (VMS), large email or message systems; and ii. Points of interconnection or intersection with other networks, and other areas over which a significant proportion of the traffic on the network travels, in each case where the volume of traffic is, in absolute terms, 15% or greater of the total traffic travelling over the network. Changes made prior to 11 May 2014 Network operators do not need to notify GCSB of decisions, courses of action or changes which were initiated prior to the TICSA coming into effect on 11 May 2014. If a decision, course of action or change is not implemented before 11 May, and after 11 May is changed substantively (such as the re-issuing of an RFP), the decision, course of action or change falls within section 48, the network operator must notify the GCSB. Telecommunications (Interception Capability and Security) Act 2013 11 Draft In-Confidence Section 46(1) – Identified Potential Network Security Risks A network operator must engage with the GCSB as soon as practicable after becoming aware of any network security risk that may arise if the proposed decision, course of action, or change is implemented. If a network operator becomes aware that by implementing a proposed decision, course of action or change – to any part of their network – a network security risk may arise, they are required to engage with the GCSB. In some cases a known security risk may be identified in a network by a network operator. A network operator can look to the factors listed in section 50 of the TICSA to help identify if an implemented decision, course of action, or change might give rise to a “network security risk”. To keep the network security processes streamlined, network operators will need to notify the GCSB of the possible network security risk using the notification template supplied. For ease of consideration these will be treated in the same way as a section 48 notification. Exemptions from Duty to Provide Notification Exemptions from the duty to notify can be granted by the Director of the GCSB, but only if satisfied that the granting of an exemption will not give rise to a network security risk (section 49). Exemptions can be granted to individual network operators or a class of network operators. The GCSB will notify individual network operators directly in writing of any exemption applying only to them. Exemptions that apply to a class of network operators will be published on the GCSB website. Written notification will also be sent to all network operators falling in that class. Network operators will be able to request exemptions from the GCSB using a template that will be supplied. They will need to provide enough information to allow consideration of whether granting the exemption would give rise to a network security risk or not. Exemptions have to be set out in a separate notice issued by the Director. When the TICSA comes into force, any exemptions the Director decides to grant as a result of the consultation process around this document will be notified to network operators. The following proposals do not need to be notified because they fall outside the TICSA’s notification requirement. • Proposals initiated prior to the network security provisions of the TICSA coming into force (11 May 2014) • Changes to areas of networks outside section 47 (Areas of Specified Security Interest), unless the changes may give rise to a network security risk (section 46 (1)). • Any area/change outside of the network operator’s control. The following exemptions are currently under consideration. If they are granted, the Director will issue an emption notice. The exemptions would come into effect at the same time as the TICSA, on 11 May 2014. Please note these areas are not exempt until a Director’s exemption notice is issued. 12 National Cyber Security Centre Draft In-Confidence Proposed Exemptions This Guidance paper proposes that notification will not be required for the following: • Any change to a network which is a part of the maintenance, support, and day to day running of a network to ensure its availability This includes: • patching, software or firmware version updates, • changes which do not alter the architecture or configuration of the network, • changes to equipment, systems or services which supply infrastructure support (including power, air conditioning & fire suppression systems), • equipment, systems or services used in generic office management (such as office supplies, printers, fax machines, desktop computers or thin clients, screens), • changes to routing within the network. The exemption does not include a change to a network which is a part of the maintenance, support and day to day running of a network to ensure its availability that has been specifically identified as a change that could give rise to a network security risk during GCSB’s consideration of an earlier proposal. • Changes in configuration or layout of any network equipment, system or service provided they do not impair the network operators effective ownership, control, oversight, or supervision of any equipment, system, or service (inconsequential changes). • Changes to augment or optimise existing network, systems or services with equipment, systems or services of the same make, model or type. • Updates to fix bugs, and replacements necessary to resolve faults in any network equipment, system or service. • Any change to equipment, systems or services which has previously been notified to the GCSB and no network security risk was identified, provided the change to the equipment, system or service does not materially differ from the proposal previously considered, and provided the change does not affect the ownership, control, oversight, or supervision of any equipment, system, or service. This covers for example, the procurement or replacement of equipment that has previously been considered by GCSB under the TICSA process with no network security risk identified, provided it is the same make, model and type. If the replacement equipment is significantly different, a new proposal will need to be submitted. • Any standard build or bulk change which has been previously notified can be replicated without the need for a new notification, provided it was considered by GCSB not to give rise to any network security risks. This is also provided that the build or bulk change do not change in a way that is different to what was considered. Any changes to what was notified as a standard build or bulk change need to be notified to the GCSB as a new proposal. • Any testing, experimentation or trials on equipment connected to the network that started before the network security provisions of the TICSA came into force, or any testing, experimentation or trials on equipment that is not connected to the public telecommunications network. For example, this would cover testing conducted in a staging environment prior to being deployed on a production environment, provided suitable controls have been employed to isolate their test environment from their production network. • Any decision, course of action or change that is the implementation of the results of a test, experiment or trial that was previously notified to the GCSB and: –– No network security risk was identified by the GCSB; or –– The network operator provided a mitigation plan that was accepted by the GCSB as preventing or sufficiently mitigating the identified network security risk. Telecommunications (Interception Capability and Security) Act 2013 13 Draft In-Confidence • Any replacement of existing equipment, systems or services already installed on a network before the network security provisions of the TICSA came into force, with equipment, services or systems of the same make, and similar model. A “similar model” includes standard upgrades, or logical version replacements. If the replacement equipment, systems or services are of a different make, notification of a proposal will need to be submitted. • Replacements of existing network equipment, systems or services of the same make, or model, including standard upgrades, or logical version replacements (such as in-line replacements for equipment at the end of its supported life, or equipment which is of the same type but has greater capacity to perform the same function i.e. capacity upgrades). • Any accelerated business change process (emergency changes) that requires deployment of a solution to maintain the availability of a network, or any service or product that operates on that network before notification can reasonably be given, provided that the network operator notifies the GCSB as soon as practicable after the change is made. • Any customer premise equipment (CPE) deployed onto a private network that is not owned, operated or controlled by the network operator, provided it is not configured to modify or control the core network of the operator in a way which could affect the ownership, control, oversight, or supervision of any equipment, system, or service. This includes for example home routers, or servers and databases sold to a business customer, provided the operator’s network is configured to limit the customers’ ability to modify the core of the network. If in Doubt… Especially at the start of the TICSA process, network operators may be unsure whether a specific proposal needs to be notified or not. Network operators can contact the GCSB for general guidance about the scope of the notification requirements, but for the avoidance of doubt, network operators should notify the GCSB of the proposal through the template notification form. If the GCSB receives a notification of a proposal that does not in fact fall within the TICSA requirements, network operators will be contacted as soon as possible to let them know the notification is not required. Form of Notification A standard template has been created for all network operators to notify the GCSB of proposals. The GCSB will only accept notifications made using this template. This will assist in the speed of consideration by ensuring a consistent approach by all network operators and that all necessary information is provided up front. Notification will not be considered to have been made, until all relevant and necessary information has been provided by the network operator to the GCSB. The Notification template will be made available on the GCSB website before 11 May 2014. Notifications can then be submitted in hard copy or by email. In order to ensure the GCSB is able to consider whether the proposal gives rise to a network security risk, the following information will be required on the template; • Nature of the proposal, objectives, what it is replacing or if it is a new system, the service or function, and an outline of the design and security considerations (self-identified). • Hardware, software, vendors, services used and any subcontractors expected to be involved in or considered under the proposal (if known). • Which section the notification is made under: 14 –– section 48 (proposed decisions, courses of action or changes affecting areas of specified security interest) or, –– section 46(1) (network operator has identified a potential network security risk regarding any part of their network). National Cyber Security Centre Draft In-Confidence • Timeframes the network operator is working to (such as proposed dates of RFP or similar process, decision making timeframes). • Any identified security risks in the proposal. • Any additional information relevant to assess the proposal, (this can include material taken from business cases, security/risk assessments; details of any applicable standards used, and network architecture diagrams). • When providing notification about a change to Services, network operators will need to provide sufficient information to understand the service that will be provided, how the effective ownership, oversight and control is exercised and the security controls that will be employed. • Points of contact for further information including; –– Full Name –– Position Title –– Contact Phone Numbers –– Email Address –– Physical Address –– Clearance Status (if known) After submitting their notification of a proposal to the GCSB, network operators can continue with the planning phase of their project while their proposal is considered. Telecommunications (Interception Capability and Security) Act 2013 15 Draft In-Confidence Section 3: How does it Work? A Step By Step Guide The Network Proposal Process This section sets out the steps for Network Operators and the GCSB in the network security process. The process is illustrated in the ‘Network Proposal Process’ (Figure 1) on page 17 The Process 1. If a network operator is considering a proposed decision, course of action or change in relation to its network (i.e. a proposal) the network operator must consider whether it has to be notified to the GCSB: • If it affects an area of specified security interest (section 48), or • The network operator believes it gives rise to a potential network security risk (section 46(1)), • And is not covered by an exemption (section 49). 2. If the proposal does not affect an area of specified security interest, or is covered by an exemption, then no notification is required and the Network Operator can proceed with the proposal. 3. If it is unclear whether a proposal falls within the notification requirements of sections 48 or 46(1), or is covered by an exemption, for the avoidance of doubt, Network Operators should notify the GCSB. 4. If the proposal does fall within the notification requirements, then details of the proposal, containing all of the information outlined in this Guidance, and the template, must be supplied to the GCSB. 5. The GCSB will consider whether the proposal gives rise to a network security risk In doing so, the GCSB must consider the factors outlined in section 50(1)(a), (b) and (c) of the TICSA. 6. If the GCSB considers the proposal does not give rise to a network security risk Network Operators will be advised in writing and they may proceed with the proposal. 7. If the GCSB considers the proposal does give rise to a network security risk that is more than minimal GCSB will notify the network operator of that in writing. The network operator must not implement the proposal (section 51(1)). • The GCSB will provide what information it can about the network security risk to the Network Operator in order to assist the Network Operator to understand the network security risk, dependent on the classification of the information and whether or not the network operator has security cleared representatives. 8. After being advised that a proposal raises a network security risk(s), the network operator must, as soon as practicable, respond to the GCSB with a proposal to prevent or sufficiently mitigate the network security risk (section 51(3)). Mitigation may include withdrawing a proposal. 9. The GCSB will assess whether the plan prevents or sufficiently mitigates the risk (to the point that no, or minimal, network security risk remains) and will notify the network operator of the outcome in writing. 10. If the GCSB considers that the plan prevents or sufficiently mitigates the network security risk(s) identified in the proposal, the network operator can implement the proposal, as long as the mitigation measures are also implemented (section 52(3)(b)). 11. If the network operator’s mitigation plan does not prevent or sufficiently mitigate the network security risk, and that risk is a significant network security risk, the Director of the GCSB can decide to refer the matter to the Minister for the GCSB who can issue a direction requiring the network operator to carry out certain actions to mitigate or prevent the risk. This process is explained later in this Guidance. 12. If the Director decides not to refer the matter to the Minister, the network operator will be notified in writing of this and can proceed to implement the proposal. 16 National Cyber Security Centre Draft In-Confidence Further detail: The GCSB can require network operators to provide information (section 78 of the TICSA). If further information is requested under section 78, the Network Operator must provide it within the timeframe requested, or if not specified, within 20 working days (section 79). Figure 1: The Network Proposal Process 1. Network operator considers if proposal needs to be notified to GCSB (section 48 or 46(1)) 2.No 3.Unsure 4.Yes Network Operator can proceed Notify GCSB using template Notify proposal to GCSB using template 5. GCSB to consider whether proposal gives rise to network security risk 6. GCSB advises NO network security risk with the proposal Network Operator can proceed 7. GCSB advises YES network security risk with the proposal. Network Operator cannot implement the proposal at that time. 8. Network operator provides to GCSB a plan to prevent or mitigate the risk 9. GCSB assesses whether plan prevents or sufficiently mitigates the risk 10. GCSB advises the risk is prevented or sufficiently mitigated 11. GCSB advises the risk is not prevented or sufficiently mitigated Network Operator can proceed as long as mitigation plan implemented GCSB must decide whether it is a significant risk and whether to refer matter to Minister Note: A proposal may be withdrawn at any time by supplying notification in writing to the GCSB. Telecommunications (Interception Capability and Security) Act 2013 17 Draft In-Confidence Section 4: Understanding Risks Consideration of Network Security Risk Section 50 of the TICSA requires the GCSB to consider whether a proposed decision, course of action or change to an area of specified security interest in a network gives rise to a network security risk, or a significant network security risk. Section 50 (1) When considering whether a network security risk or significant network security risk is raised under this Part, the Director, or if the case requires, the Minister responsible for the Government Communications Security Bureau,— (a) must consider the likelihood that the matter giving rise to the risk will lead to— (i) the compromising or degrading of the public telecommunications network; and (ii) the impairment of the confidentiality, availability, or integrity of telecommunications across the network; and (b) must consider the potential effect that an event described in paragraph (a)(i) or (ii) will have on the provision of— (i) central or local government services: (ii) services within the finance sector: (iii) services within the energy sector: (iv) services within the food sector: (v) communication services: (vi) transport services: (vii) health services: (viii)education services; and (c) may consider any other matter that the Director or Minister considers relevant. GCSB’s consideration of network security risk involves consideration of the likelihood that the proposal (or part of it) will lead to the compromise or degradation of the public telecommunications network, and the impairment of the confidentiality, availability or integrity of telecommunications across the network, and the potential effect of that on the provision of important services. As explained earlier in this Guidance, consideration will not be given to ‘general’ network security risks (that is, network security risks which do not intersect with national security). A consistent methodology will be used to consider all proposals against the factors identified above. An example of a possible network security risk would be if a network operator’s proposal included allowing remote access to a core part of their network management system. This would be based on, in part, an assessment that controls are insufficient and could allow a motivated attacker to disable or compromise the network. Included in this assessment would be consideration of the likelihood of a successful compromise occurring and the impact that a successful attack would have on key services which were critically dependent on that network. The GCSB will draw on a range of information, including: i. the nature of the equipment ii. the operational model; iii. the network area; 18 National Cyber Security Centre Draft In-Confidence iv. whether independent assurance can be provided, for example, compliance with international standards, opportunity for an independent software audit; v. information about any of the companies involved, including past behaviour, any examples from other jurisdictions; and vi. classified information uniquely available to GCSB. This list is not exhaustive, and the relative weight of each factor may vary from proposal to proposal. The GCSB will endeavour to provide network operators with unclassified information to assist in their understanding of a network security risk. Where possible GCSB will also share further information about identified network security risks and about controls or mitigations with the security cleared representatives of the network operator, to assist them in providing informed guidance to their organisation. The GCSB will also assist the security cleared representatives to identify information that can be shared further within the business. Assessment of a Plan to Prevent or Sufficiently Mitigate a Network Security Risk The GCSB must assess whether the proposed prevention or mitigation plan will, if implemented, prevent or sufficiently mitigate the network security risk(s) that were identified. Mitigation or prevention plans could include; • Compensatory controls & plans to manage the risk over time • Preventative measures to avoid the risk • Withdrawal of the part of the proposal which creates the risk • Inclusion of security clauses in commercial contracts Included in this assessment will be consideration of whether the plan removes or prevents the network security risk, or whether compensatory controls can sufficiently reduce the network security risk to an acceptable level (no, or minimal network security risk). Using the example supplied previously, an example of a prevention plan could be to remove the remote access element of the proposal altogether, given the sensitivity of the access it would allow. Alternatively, a mitigation plan may include controls such as additional logging, multi-factor authentication and restricting access to other parts of the core when using remote access. When communicating decisions about network security risks, the GCSB will provide what information it can in order to identify the areas of concern within a proposal, so network operators can develop a better understanding of the network security risks as understood by the GCSB. Another example could be a proposal to build a new core service platform for business customers. The GCSB may consider a network security risk the fact that known vulnerabilities exist in the firmware of the equipment which could result in the wide scale leak of authentication credentials. The mitigation plan proposed by the network operator could involve increased controls around authentication for the service, and follow up notification to the GCSB once the vulnerability was patched in a later version. Communication of Outcomes At each stage of the process, the GCSB will notify the network operator of the GCSB’s conclusion about network security risk. At the completion of an initial consideration, written notification will be issued that a proposal either; a) does not give rise to a network security risk and the network operator may continue with the proposal, or; Telecommunications (Interception Capability and Security) Act 2013 19 Draft In-Confidence b) does give rise to a network security risk and the network operator cannot implement the proposal at that time (section 51(1)(b)) and is required to provide a mitigation plan as soon as practicable (section 51(3)). After assessing a network operator’s prevention or mitigation plan, the GCSB will advise the network operator in writing that either: a) the proposed plan (or parts of it) to prevent or mitigate the risk has been accepted, and the network operator may proceed to implement the proposal as modified by the mitigation plan; or, b) the proposed plan to prevent or mitigate the risk has not been accepted because it does not prevent or sufficiently mitigate a significant network security risk identified. The GCSB will advise the network operator whether the Director has decided to refer the case to the Minister or not. Summary of Timeframes Minimising disruption to Network Operator’s decision making processes is a fundamental part of the approach incorporated in the TICSA and this Guidance. Under section 8(2) the GCSB is subject to the principle that steps taken by the GCSB should be made or taken as soon as practicable. Therefore, while no deadlines are imposed by the TICSA, this section gives an indication of the timeframes anticipated during the proposal consideration process. The GCSB will provide a decision to the notification of proposal to the network operator as quickly as possible. Where a proposal is received that either does not require notification or an assessment can be completed quickly the GCSB will aim to respond to network operators as soon as possible, and within the time frames noted below. Initial Notification: In all cases the GCSB will acknowledge receipt of a notification from a network operator once all of the information described in the Form of Notification section has been provided, this will be no more than three working days. Written notice of the outcome of the GCSB’s consideration of the notified proposal will be given within 20 working days of the date of acknowledged receipt of the notification. If an extension of time is anticipated, the GCSB will contact the Network Operator to discuss as early as practicable, followed by confirmation in writing prior to the end of the 20 working day limit. It is important that the GCSB receives full and complete information on the proposal. If additional information is required the GCSB will contact the network operator to request this information. The 20 working day period for consideration of network security risk cannot begin until all requested information is received. If the assessment requires less than 20 days to complete, the outcome will be notified as soon as practicable. After Notification of a Network Security Risk In the event that a network security risk is identified, the network operator is required to provide its prevention or mitigation plan to the GCSB as soon as practicable. Once the prevention or mitigation plan has been provided, along with any additional information relevant to it, the GCSB will acknowledge receipt of the plan; this will be within three working days. The GCSB will assess the mitigation plan, and if it prevents or sufficiently mitigates the identified network security risks, will inform the network operator of this in writing. If the Director intends, or is considering referring the proposal to the Minister, the Director is immediately required to seek a view by the Commissioner of Security Warrants. These situations are likely to require an extension on the 20 working day timeframe. In these cases the GCSB will contact the network operator to discuss and confirm in writing prior to the end of the 20 working day limit. 20 National Cyber Security Centre Draft In-Confidence Section 5: Referrals Referral to the Minister To ensure significant network security risks are addressed, the TICSA includes provision for the Minister of the GCSB to make a direction requiring a network operator to take steps to prevent, sufficiently mitigate, or remove the network security risk (section 57). The Minister can only make a direction if a case has been referred to him or her by the Director of the GCSB. The Director can only refer a case to the Minister if there is a significant network security risk that has not been addressed, or if a network operator does not comply with certain duties (the duties are set out below). The Director can refer a case to the Minister if – • a mitigation plan does not prevent or sufficiently mitigate a significant network security risk; or • a network operator, despite being advised by the GCSB that a proposal cannot be implemented (s51), enters into a binding legal arrangement, implements a decision or commences a course of action or change that gives rise to a significant network security risk; or • a network operator fails to comply with a requirement to provide information to the GCSB (s78) and has entered into a binding legal arrangement, implemented a decision, or commenced a course of action or change that gives rise to a significant network security risk. If the Director is considering referring the case they must seek the view of the Commissioner of Security Warrants about the network security risk that has been identified (section 56). If the Director does decide to refer the case to the Minister, the network operator will be notified and will be invited to make submissions to the Minister. The Minister has to base their decision to issue a direction on a series of factors – these include those the Director must consider in identifying network security risk (section 50) and also those set out in section 57(2) of the TICSA: (2) Before making a direction under this section, the Minister must – (a) have regard to – (i) the nature and extent of the network security risk (ii) the impact on the network operator of meeting costs associated with the direction (iii) the potential consequences that the direction may have on competition and innovation in telecommunications markets (iv) the anticipated benefits to New Zealand from preventing, sufficiently mitigating, or removing the network security risk (v) the principle in section 8(4)[which is – The principle that the decision or exercise of the function or power should be proportionate to the network security risk.] (vi) the potential impact of the direction on trade (vii) any other matters that the Minister considers relevant; and (b) be satisfied that the direction is consistent with the purpose in section 7. [note reference in Guidance already] Telecommunications (Interception Capability and Security) Act 2013 21 Draft In-Confidence The Minister must also consult with the Minister of Trade and the Minister for Communications and Information Technology, and he or she must be satisfied that exercising his/her powers is necessary to prevent, sufficiently mitigate, or remove a significant network security risk. A Ministerial direction will be issued in writing to the affected network operator, with reasons (not including those parts of the reasons that would reveal classified information). Non-compliance with a Ministerial direction is considered a serious non-compliance under the TICSA and could result in an enforcement notice issued against the network operator by the Director of the GCSB, or a compliance pecuniary penalty order from the High Court. Guidance Revisions This Guidance may be amended from time to time for various reasons including if there are any changes to the notification requirements, or to the process for notification. In the event that major revisions of the guidance are necessary, the GCSB will consult with network operators as part of the revision process. Major revisions are considered to be any changes which substantively change one or more sections of the Guidance. In the event that minor revisions are required, consultation may not be initiated. Minor revisions are considered to be any changes which do not substantively change one or more sections of the Guidance. Each revision of the guidance will be supplied to the designated point of contact for a network operator, as provided in their registration details under Part 4, Section 62 of the TICSA. 22 National Cyber Security Centre